Description:
Multiple vulnerabilities were reported in Mac OS X. A remote user can cause arbitrary code to be executed on the target user's system. A local user can obtain system privileges on the target system. A remote user can conduct cross-site scripting attacks. A local user can obtain potentially sensitive information. A user on the local network can initiate a video conference without the target user's approval.

A local user can invoke the mount_smbfs and smbutil applications with specially crafted command line arguments to trigger a stack buffer overflow in the argument parsing code and execute arbitrary code with system privileges [CVE-2007-3876]. Versions 10.5 and later are not affected. Sean Larsson of VeriSign iDefense Labs reported this vulnerability.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a format string flaw in the Address Book URL handler and execute arbitrary code on the target system [CVE-2007-4708]. The code will run with the privileges of the target user. Versions 10.5 and later are not affected.

A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a path traversal flaw in CFNetwork and cause files to be automatically downloaded to arbitrary locations with the privileges of the target user [CVE-2007-4709]. Versions prior to 10.5 are not affected. Sean Harding reported this vulnerability.

A remote user can create an image with a specially crafted embedded ColorSync profile that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system [CVE-2007-4710]. The code will run with the privileges of the target user. Versions 10.5 and later are not affected. Tom Ferris of Adobe Secure Software Engineering Team (ASSET) reported this vulnerability.

Launch Services does not treat HTML files as potentially unsafe content [CVE-2007-5854]. A remote user can create a specially crafted HTML file that, when opened by a target user, will cause arbitrary scripting code to be executed by the target user's browser, leading to cross-site scripting or disclosure of information on the target user's system. Both 10.4.11 and 10.5.1 are affected. Michal Zalewski of Google Inc. reported this vulnerability.

A local user can exploit a race condition in the CoreFoundation CFURLWriteDataAndPropertiesToResource API to cause files to be created with insecure permissions [CVE-2007-5847]. As a result, a local user may be able to obtain potentially sensitive information. Versions 10.5 and later are not affected.

A remote user can create a specially crafted '.DS_Store' file that, when the target user opens the directory containing it in Finder, will trigger a heap buffer overflow in Desktop Services and execute arbitrary code [CVE-2007-5850]. The code will run with the privileges of the target user. Versions 10.5 and later are not affected.

A user on the local network can initiate a video conference with the target user without the target user's approval due to a flaw in iChat [CVE-2007-5851]. Versions 10.5 and later are not affected.

A remote user can create a disk image with a specially crafted GUID partition map that, when opened by the target user, will trigger a memory corruption error in the IO Storage Family code and cause an unexpected system shutdown or execute arbitrary code [CVE-2007-5853]. Versions 10.5 and later are not affected.

A remote user can create a specially crafted HTML file that, when previewed by the target user with Quick Look, can cause plug-ins loaded by the preview to make network requests and disclose potentially sensitive information [CVE-2007-5856]. Versions prior to 10.5 are not affected.

A remote user can create a specially crafted movie file that, when previewed by the target user with Quick Look or when an icon is created for it, will cause URLs contained in the movie to be accessed [CVE-2007-5857]. Versions prior to 10.5 are not affected. Systems with QuickTime 7.3 installed are also not affected. Lukhnos D. Liu of Lithoglyph Inc. reported this vulnerability.

A local user can exploit an insecure file operation in SpinTracer's handling of output files to execute arbitrary code with system privileges [CVE-2007-5860]. Versions prior to 10.5 are not affected. Kevin Finisterre of DigitalMunition reported this vulnerability.

A remote user can create a specially crafted '.xls' file that, when downloaded by the target user, will trigger a memory corruption error when the Microsoft Office Spotlight Importer indexes the file and execute arbitrary code on the target system [CVE-2007-5861]. Versions 10.5 and later are not affected.

A remote user able to intercept a target system's requests to the Software Update server (a man-in-the-middle position) can supply a specially crafted distribution definition file with the 'allow-external-scripts' option and cause arbitrary commands to be executed on the target system when it checks for new updates [CVE-2007-5863]. Versions prior to 10.5 are not affected. Moritz Jodeit reported this vulnerability.

A remote user can send a specially crafted executable email attachment that, when opened by the target user, will be launched without warning due to a flaw in Launch Services and execute arbitrary code on the target user's system [CVE-2007-6165]. The code will run with the privileges of the target user. Versions prior to 10.5 are not affected. Xeno Kovah reported this vulnerability.

Impact:
A remote user can create HTML or a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

A local user can obtain system privileges on the target system.

A remote user can access information on the target user's system.

A local user can obtain potentially sensitive information.

A user on the local network can initiate a video conference without the target user's approval.

Solution:
The vendor has issued a fix (APPLE-SA-2007-12-17 Security Update 2007-009 v1.1), available from the Software Update pane in System Preferences, or Apple's Software Downloads web site at:

[Editor's note: The original security update 2007-009 issued on December 17, 2007 contained a performance issue that may cause Safari to crash. On December 21, 2007, Apple issued the revised security update 2007-009 v1.1. Customers should apply the new update.]

APPLE-SA-2007-12-17 Security Update 2007-009
New vulns:
SMB
CVE-ID: CVE-2007-3876
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: A stack buffer overflow issue exists in the code used
by the mount_smbfs and smbutil applications to parse command line
arguments, which may allow a local user to cause arbitrary code
execution with system privileges. This update addresses the issue
through improved bounds checking. This issue does not affect systems
running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign
iDefense Labs for reporting this issue.
Address Book
CVE-ID: CVE-2007-4708
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description: A format string vulnerability exists in Address Book's
URL handler. By enticing a user to visit a maliciously crafted
website, a remote attacker may cause an unexpected application
termination or arbitrary code execution. This update addresses the
issue through improved handling of format strings. This issue does
not affect systems running Mac OS X 10.5 or later.
CFNetwork
CVE-ID: CVE-2007-4709
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Visiting a malicious website could allow the automatic
download of files to arbitrary folders to which the user has write
permission
Description: A path traversal issue exists in CFNetwork's handling
of downloaded files. By enticing a user to visit a malicious website,
an attacker may cause the automatic download of files to arbitrary
folders to which the user has write permission. This update addresses
the issue through improved processing of HTTP responses. This issue
does not affect systems prior to Mac OS X 10.5. Credit to Sean
Harding for reporting this issue.
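The CFNetwork entry above (and the CVE-2007-4709 paragraph in the Description) describes the bug class without showing it. The following is an added example, not Apple's code: it contrasts a naive download-path computation, where the server's Content-Disposition filename is joined onto the download folder verbatim, with a hardened one that keeps only a leaf name and verifies the result stays inside the folder. The download directory, the header values and the filenames are constructed for illustration.

```python
"""Sanitising a server-supplied download filename (added example, not Apple code)."""
import os
import re
from email.message import Message


def filename_from_header(content_disposition):
    """Extract the filename parameter from a Content-Disposition header.

    The stdlib MIME parameter parser is reused so quoted and RFC 2231
    encoded forms are handled the same way a real client would.  Returns
    None when the header carries no filename.
    """
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()


def naive_target(download_dir, content_disposition, fallback="download"):
    """Vulnerable pattern: the server's filename is joined onto the download
    folder as-is, so '../' segments walk out of it into any folder the user
    can write to."""
    name = filename_from_header(content_disposition) or fallback
    return os.path.normpath(os.path.join(download_dir, name))


def safe_target(download_dir, content_disposition, fallback="download"):
    """Hardened pattern: reduce the name to a single path component, reject
    control characters and dot-names, then confirm the final path is still
    inside the download folder (defence in depth)."""
    name = filename_from_header(content_disposition) or fallback
    name = name.replace("\\", "/")            # treat backslashes as separators too
    name = os.path.basename(name)             # drop every directory component
    name = re.sub(r"[\x00-\x1f]", "_", name)  # no control characters in names
    name = name.strip().lstrip(".")           # no '.', '..' or hidden files
    if not name:
        name = fallback
    root = os.path.normpath(download_dir)
    target = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("download path escapes %s" % root)
    return target


if __name__ == "__main__":
    # Constructed inputs: an assumed download folder and a hostile header.
    folder = "/Users/alice/Downloads"
    hostile = 'attachment; filename="../Library/LaunchAgents/evil.plist"'
    print("naive:", naive_target(folder, hostile))
    print("safe: ", safe_target(folder, hostile))
```

The traversal lands wherever the user can write, which is exactly the impact the advisory states; the `commonpath` check is there so that a future change to the name cleaning cannot silently reintroduce the escape.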
ColorSync
CVE-ID: CVE-2007-4710
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Viewing a maliciously crafted image with an embedded
ColorSync profile may lead to an unexpected application termination
or arbitrary code execution
Description: A memory corruption issue exists in the handling of
images with an embedded ColorSync profile. By enticing a user to open
a maliciously crafted image, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of images.
This issue does not affect systems running Mac OS X 10.5 or later.
Credit to Tom Ferris of Adobe Secure Software Engineering Team
(ASSET) for reporting this issue.
Core Foundation
CVE-ID: CVE-2007-5847
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead
to the disclosure of sensitive information
Description: A race condition exists in the
CFURLWriteDataAndPropertiesToResource API, which may cause files to
be created with insecure permissions. This may lead to the disclosure
of sensitive information. This update addresses the issue through
improved file handling. This issue does not affect systems running
Mac OS X 10.5 or later.
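Neither the Core Foundation entry above nor the CVE-2007-5847 paragraph in the Description says what "created with insecure permissions" looks like in code. The following is an added example, not Apple's code and not the CFURLWriteDataAndPropertiesToResource implementation: it shows the generic create-then-chmod pattern that leaves a window in which the file carries umask-derived permissions, beside an atomic create that is born with the restrictive mode and refuses to follow a pre-planted symlink. The scratch directory, file names and the 022 umask are assumptions made for the demonstration.

```python
"""Insecure file creation vs. an atomic private create (added example, not Apple code)."""
import os
import stat
import tempfile


def write_then_chmod(path, data, mode=0o600):
    """Racy pattern: open() creates the file with 0666 & ~umask, the data is
    written, and only afterwards are the permissions tightened.  Between the
    create and the chmod any local user can open the file and keep the
    descriptor.  If 'path' is a symlink someone else planted, open() follows
    it.  Returns the mode the file had while the data was being written."""
    with open(path, "wb") as f:
        f.write(data)
        exposed = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, mode)
    return exposed


def create_private(path, data, mode=0o600):
    """Atomic pattern: the file is created already restricted to 'mode'
    (still masked by the umask), and O_EXCL makes the call fail instead of
    following a pre-planted symlink or reusing an existing file.
    Returns the mode the file has from the moment it exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        view = memoryview(data)
        while view:                       # os.write may write fewer bytes
            view = view[os.write(fd, view):]
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)


def demo():
    """Run both patterns under an assumed 022 umask in a scratch directory.
    Returns the observed modes and whether the symlink attack was refused."""
    old = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            racy = write_then_chmod(os.path.join(d, "racy.txt"), b"secret")
            private = create_private(os.path.join(d, "private.txt"), b"secret")
            # Constructed attack: a symlink pre-placed where the victim will write.
            link = os.path.join(d, "planted")
            os.symlink(os.path.join(d, "victim"), link)
            try:
                create_private(link, b"secret")
                refused = False
            except FileExistsError:
                refused = True
            return {"racy": racy, "private": private, "symlink_refused": refused}
    finally:
        os.umask(old)


if __name__ == "__main__":
    r = demo()
    print("racy file was 0o%o while being written" % r["racy"])
    print("private file was 0o%o from creation" % r["private"])
    print("symlink refused:", r["symlink_refused"])
```

The point a reviewer looks for is that the exposure exists even when the final mode is correct: the first function ends with a 0600 file too, but the returned value shows it was 0644 while the secret was going in.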
Desktop Services
CVE-ID: CVE-2007-5850
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Opening a directory containing a maliciously-crafted
.DS_Store file in Finder may lead to arbitrary code execution
Description: A heap buffer overflow exists in Desktop Services. By
enticing a user to open a directory containing a maliciously crafted
.DS_Store file, an attacker may cause arbitrary code execution. This
update addresses the issue through improved bounds checking. This
issue does not affect systems running Mac OS X 10.5 or later.
iChat
CVE-ID: CVE-2007-5851
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: A person on the local network may initiate a video
connection without the user's approval
Description: An attacker on the local network may initiate a video
conference with a user without the user's approval. This update
addresses the issue by requiring user interaction to initiate a video
conference. This issue does not affect systems running Mac OS X 10.5
or later.
IO Storage Family
CVE-ID: CVE-2007-5853
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Opening a maliciously crafted disk image may lead to an
unexpected system shutdown or arbitrary code execution
Description: A memory corruption issue exists in the handling of
GUID partition maps within a disk image. By enticing a user to open a
maliciously crafted disk image, an attacker may cause an unexpected
system shutdown or arbitrary code execution. This update addresses
the issue through additional validation of GUID partition maps. This
issue does not affect systems running Mac OS X 10.5 or later.
Launch Services
CVE-ID: CVE-2007-5854
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11,
Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Opening a maliciously crafted HTML file may lead to
information disclosure or cross-site scripting
Description: Launch Services does not handle HTML files as
potentially unsafe content. By enticing a user to open a maliciously
crafted HTML file, an attacker may cause the disclosure of sensitive
information or cross-site scripting. This update addresses the issue
by handling HTML files as potentially unsafe content. Credit to
Michal Zalewski of Google Inc. for reporting this issue.
Quick Look
CVE-ID: CVE-2007-5856
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Previewing a file with QuickLook enabled may lead to the
disclosure of sensitive information
Description: When previewing an HTML file, plug-ins are not
restricted from making network requests. This may lead to the
disclosure of sensitive information. This update addresses the issue
by disabling plug-ins. This issue does not affect systems prior to
Mac OS X 10.5.
Quick Look
CVE-ID: CVE-2007-5857
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Previewing a movie file may access URLs contained in the
movie
Description: Creating an icon for a movie file, or previewing that
file using QuickLook may access URLs contained in the movie. This
update addresses the issue by disabling HREFTrack while browsing
movie files. This issue does not affect systems prior to Mac OS X
10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D.
Liu of Lithoglyph Inc. for reporting this issue.
Spin Tracer
CVE-ID: CVE-2007-5860
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A local user may be able to execute arbitrary code with
system privileges
Description: An insecure file operation exists in SpinTracer's
handling of output files, which may allow a local user to execute
arbitrary code with system privileges. This update addresses the
issue through improved handling of output files. This issue does not
affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of
DigitalMunition for reporting this issue.
Spotlight
CVE-ID: CVE-2007-5861
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11
Impact: Downloading a maliciously crafted .xls file may lead to an
unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in the Microsoft
Office Spotlight Importer. By enticing a user to download a
maliciously crafted .xls file, an attacker may cause an unexpected
application termination or arbitrary code execution. This update
addresses the issue by performing additional validation of .xls
files. This issue does not affect systems running Mac OS X 10.5 or
later.
Software Update
CVE-ID: CVE-2007-5863
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: A man-in-the-middle attack could cause Software Update to
execute arbitrary commands
Description: When Software Update checks for new updates, it
processes a distribution definition file which was sent by the update
server. By intercepting requests to the update server, an attacker
can provide a maliciously crafted distribution definition file with
the "allow-external-scripts" option, which may cause arbitrary
command execution when a system checks for new updates. This update
addresses the issue by disallowing the "allow-external-scripts"
option in Software Update. This issue does not affect systems prior
to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.
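The Software Update entry above (and the CVE-2007-5863 paragraph in the Description) names the dangerous option but gives no way to look for it. The following is an added example, not Apple's code: a small checker that parses a distribution definition file and reports the "allow-external-scripts" option together with any embedded script that calls the InstallerJS `system.run` routine, which is the call that executes an external program when that option is on. The document shape (an `installer-gui-script` root with `options` and `script` children) follows Apple's Distribution XML format; the two sample documents are constructed for this example and the `/tmp/payload` path is a placeholder.

```python
"""Audit a Software Update distribution definition file (added example, not Apple code)."""
import xml.etree.ElementTree as ET


def audit_distribution(xml_text):
    """Return a list of findings for one distribution file; empty means clean.

    The stdlib expat parser does not resolve external entities, so a hostile
    document cannot make the parser reach out to the network (entity expansion
    blowups are a separate concern and not addressed here).
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != "installer-gui-script":
        findings.append("unexpected root element %r" % root.tag)
    for opt in root.iter("options"):
        value = opt.get("allow-external-scripts", "no").strip().lower()
        if value in ("yes", "true", "1"):
            findings.append("options allow-external-scripts=%r" % value)
    for script in root.iter("script"):
        body = script.text or ""
        # system.run is the InstallerJS call that runs an external program;
        # it only does anything when external scripts are allowed.
        if "system.run" in body:
            findings.append("script invokes system.run")
    return findings


# Constructed sample: what a legitimate definition looks like.
BENIGN = """
<installer-gui-script minSpecVersion="1">
  <title>Security Update</title>
  <options customize="never" allow-external-scripts="no"/>
  <choices-outline><line choice="update"/></choices-outline>
  <choice id="update" title="Update" start_selected="true" visible="false"/>
</installer-gui-script>
"""

# Constructed sample: what an interposed server could return instead.
HOSTILE = """
<installer-gui-script minSpecVersion="1">
  <title>Security Update</title>
  <options customize="never" allow-external-scripts="yes"/>
  <script>
    function preflight() {
      system.run('/tmp/payload');   /* placeholder: attacker-chosen command */
      return true;
    }
  </script>
  <choices-outline><line choice="update"/></choices-outline>
  <choice id="update" title="Update" start_selected="true" visible="false"/>
</installer-gui-script>
"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, audit_distribution(doc) or ["no findings"])
```

A checker like this is a detection aid, not a substitute for the fix: the update itself removed the option, and the underlying condition (trusting whatever the network returns for the definition file) is what made the man-in-the-middle position sufficient.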
Launch Services
CVE-ID: CVE-2007-6165
Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1
Impact: Opening an executable mail attachment may lead to arbitrary
code execution with no warning
Description: An implementation issue exists in Launch Services,
which may allow executable mail attachments to be run without warning
when a user opens a mail attachment. This update addresses the issue
by warning the user before launching executable mail attachments.
This issue does not affect systems prior to Mac OS X 10.5. Credit to
Xeno Kovah for reporting this issue.